Security Roundup - 2016-07-20

Last week I happened to miss this great interview with Mårten Mickos, the CEO of the HackerOne bug bounty platform. This week, HackerOne has announced their ‘Hack the World’ competition, where all reports submitted on the platform from now until September 19th will give you an opportunity for further prizes.

Automotive security seems to be ramping up, with several bug bounties related to vehicles, as well as security vendors selling solutions aimed at manufacturers.

Watcher of Mr. Robot? You might be interested in this article detailing the amount of realism that goes into making the show.

Google is apparently experimenting with post-quantum computing crypto. They have started to roll out a new encryption algorithm called “Ring Learning with Errors” that users of ‘Chrome Canary’ will be able to take advantage of, while Google gets a better sense of ‘real world performance’.

More security appliance problems recently. The first is from Juniper, where specially crafted authentication certificates would allow anyone to connect to the network. The second comes from Cisco, where an attacker could crash routers, along with another vulnerability where attackers could actually modify settings using SNMP.

New problems with old RFCs lead to the ‘httpoxy’ vulnerability reported this week. This is apparently due to the documented behavior for CGI handling of request headers, which is to prefix them with ‘HTTP_’ when placing them in the environment, thus turning a ‘Proxy’ header into ‘HTTP_PROXY’, which is an actual environment variable for configuring an outbound proxy. This potentially means that for certain CGI apps, an attacker could configure a host to send all outbound HTTP requests through a proxy they specify. Cloudflare and Akamai customers are already automatically protected.
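The header-to-environment step described above, modelled as an added example that is not part of the original post or of any CGI implementation: it maps constructed request headers the way CGI does, shows how a client-supplied ‘Proxy’ header becomes HTTP_PROXY, and then shows the mitigation (dropping that header before the mapping) plus a simple check for an exposed CGI environment. All header values and hostnames are constructed.

```python
"""Model of the httpoxy path: CGI header mapping, the mitigation, and a check."""
from typing import Dict

# Constructed sample request, as a CGI gateway would receive it from a client.
SAMPLE_HEADERS = {
    "Host": "app.example",
    "User-Agent": "curl/7.47",
    "Proxy": "http://attacker-controlled.example:8080",  # constructed value
}


def cgi_env(headers: Dict[str, str], method: str = "GET") -> Dict[str, str]:
    """CGI meta-variable mapping: header name upper-cased, '-' -> '_',
    prefixed with 'HTTP_'. This is the step that turns 'Proxy' into HTTP_PROXY."""
    env = {"REQUEST_METHOD": method}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def cgi_env_hardened(headers: Dict[str, str], method: str = "GET") -> Dict[str, str]:
    """Mitigation: drop the 'Proxy' request header before mapping. There is no
    standard 'Proxy' request header, so nothing legitimate is lost."""
    filtered = {n: v for n, v in headers.items() if n.lower() != "proxy"}
    return cgi_env(filtered, method)


def outbound_proxy(env: Dict[str, str]):
    """Mimic a naive HTTP client library that honours HTTP_PROXY from its env."""
    return env.get("HTTP_PROXY")


def is_httpoxy_exposed(env: Dict[str, str]) -> bool:
    """Check: a CGI environment (REQUEST_METHOD set) with an upper-case HTTP_PROXY.
    A locally configured proxy is normally the lower-case http_proxy, so the
    upper-case form inside CGI is the client-derived one."""
    return "REQUEST_METHOD" in env and bool(env.get("HTTP_PROXY"))


if __name__ == "__main__":
    print("vulnerable :", outbound_proxy(cgi_env(SAMPLE_HEADERS)))
    print("hardened   :", outbound_proxy(cgi_env_hardened(SAMPLE_HEADERS)))
```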

BreakingMalware has recently discovered that the usage of ‘hooks’, a method to intercept and monitor system calls that is commonly used for things such as antivirus, is itself exploitable.

In more machine learning and cybersecurity news, a few companies point out it is likely to be more of a hybrid approach between automated algorithms and human review. The automated algorithms work to surface the most important stuff, weed out false positives, and flag everything else for review by the human element, with the human element providing said review to produce a feedback loop that improves results. The harder problem is creating systems that don’t just detect known problems, but also flag new things that are not initially noticed as problems, similar to the antivirus movement away from signatures to more robust forms of malware detection.

2016 has been a big year for ransomware, and Check Point has put together a good writeup of executable evolution. It is an interesting read contrasting one set of ransomware becoming more sophisticated, while others are going for simplicity and effectively using the social lever of fear to just get victims to pay up quickly.

Researchers from the University of Florida have put together a ransomware detection system. Rather than basing it on signatures, their system (dubbed CryptoDrop) monitors for behavioral changes, such as mass deletions or certain transformations which are indicative of ransomware. They claim to detect more than 500 variants from 14 families, with a small amount of file loss (median of 10 files).

As always BleepingComputer has the best ransomware roundup. This week includes ransomware faking other ransomware, new evolutions to existing ransomware, and CryptXXX releasing free decryption keys for old variants.

I’ll be at this year’s HOPE conference. Lots of great talks, and hope to meet some interesting people!

Security Roundup - 2016-07-14

Troy Hunt recently released unverified breaches for HaveIBeenPwned, due to the recent Badoo breach, where the dataset lies somewhere between a hoax and “can’t be conclusively verified”. The article is another interesting read on the steps he takes to verify breaches.

Datadog has recently suffered a potential breach, but is learning from the other breaches lately by invalidating all user passwords proactively.

Wendy’s was suspected of a breach in some of their PoS systems starting in 2015, and new reports indicate it is very, very bad, with more than 1000 locations impacted. Wendy’s currently blames a third party service provider that manages the PoS terminals for a number of franchises.

Phishing is still a leading way to gain access to a company. Now, Duo Security has launched a free phishing assessment tool called Duo Insight. They’ve also published an article sharing some interesting observations, including that 17% of targeted users actually entered credentials, out-of-date browsers/software detected on end user computers, and a few ways to make a phishing attempt more likely to succeed.

Some enterprising researchers recently created some TOR hidden service honeypots and, after making a bunch of requests through TOR, found that their hidden services eventually came under attack. Their conclusion: there are TOR nodes designed to spy on and find hidden services. They are scheduled to present at DefCon this year. While the TOR developers are working to strengthen the system, MIT researchers have announced the development of a potential successor, building on the lessons learned from TOR.

As voice activated assistants become more pervasive, security researchers have demonstrated voice based attacks, where they are able to play a muddled video sample that humans can’t interpret but the voice assistant can. The video demonstrates opening up a website, which could introduce additional code to the device.

Microsoft’s Patch Tuesday includes this interesting Print Spooler exploit where an attacker could write a service to masquerade as a printer and cause a machine to download ‘printer drivers’ which could be any sort of executable that the system would trust.

Law enforcement and insurance companies seem to be catching up to the fact that weak electronic vehicle security is leading to an increase in thefts.

As always, BleepingComputer has the best ransomware roundup. New families from the makers of Cerber. CryptXXX changes, in that no special extension is being used, to evade detection. CryptoFinancial, a variant that actually deletes your files!

Security Roundup - 2016-07-07

More hardware security vulnerabilities this week, with a firmware problem on certain Gigabyte motherboards impacting such laptops as the Lenovo Thinkpad series and HP Pavilion laptops, allowing for the disabling of numerous security protections and running of arbitrary code. Also, Duo Labs reports that a large number of Android devices are vulnerable to previously patched CVEs (specifically, this Qualcomm exploit that undermines full disk encryption), as they have yet to receive an update and may never do so due to the way OEM/carrier patch rollouts work.

As the volume of threat intelligence increases, more groups turn to machine learning to try to sort the signal from the noise. MIT’s Computer Science and Artificial Intelligence Lab has apparently developed a system called AI^2 which is able to monitor logs and detect 85% of attacks, allowing for a reduction in what needs to be reviewed by human beings.

My co-worker, Josh Rendek, recently put together a presentation on a side project of his called sshpot. He has followed up by writing up some of his thoughts, process, and findings from building an SSH honeypot.

TrapX Labs has released a report entitled “Anatomy of an Attack – Medical Device Hijack 2”, giving an update on their observations of hospital-focused malware. Interestingly, they are seeing old exploits delivering new payloads, seemingly a result of medical devices being older Windows devices in many cases.

DARPA is apparently running a ‘Cyber Grand Slam’ in August, where bots will compete to automatically exploit vulnerabilities, as well as defend against them on the fly. I am looking forward to the reports and follow up of this event.

TrustWave has an interesting article on reverse engineering the Hawkeye Keylogger which is also using very old exploits to try to install itself.

Login security basics: long passwords, HTTPS, password hashing. Right? Troy Hunt has a long week of appsec issues, where various players forget the basics.

Interested in smart appliances, but worried about security? This week I learned of Matthew Garrett, a security researcher in SF who has started writing security oriented product reviews about IoT devices.

I knew Domain Hijacking was a thing, but this week I learned that bad actors also try to hijack IPv4 netblocks. Simply by checking for unmaintained WHOIS records, registering the lapsed domain and posing as the legitimate company, attackers are apparently able to successfully flip IPv4 addresses to buyers.

As always, BleepingComputer has the best Ransomware Roundup. This week includes new Locky variants, a ransomware named ‘EduCrypt’ that attempts to educate users on malware, numerous decryptors for the numerous variants, and Satana, a ransomware that not only encrypts your files, but encrypts a machine’s Master Boot Record to prevent users from starting up their operating system.

Security Roundup - 2016-06-30

Apple makes further security transparency strides by leaving their next iOS kernel unencrypted. Apple has previously obscured this, but the hope is that with a more open kernel, security researchers will have an easier time finding and reporting security issues. Some security researchers say, however, that this could lead to additional attacks against the OS. Kaspersky collects some further arguments on either side.

Uber’s bug bounty program has resulted in some interesting results from researchers. Sophos labs has a nice writeup of one team’s findings, using a number of smaller leakages to work up to a larger data leakage. Going back to their original post detailing their overall process is a great read as well, including a brute force promo code vulnerability, the ability to track where drivers have been, as well as trip history of other users.

TOR has added ‘Selfrando’ to strengthen the user browser. This technique involves randomizing the location of code in memory. This prevents ‘code re-use’ attacks, where an attacker can target known code loaded in memory to try to make it do unexpected things.

Rapid7 has done some follow up on the recent discovery of being able to issue administrative commands to ClamAV remotely, by scanning the internet for exposed nodes and performing some analysis. In general, under 6k nodes across the entire internet are exposed. They believe a number of these are systems that the owner doesn’t realize ClamAV is installed on (or has forgotten).

Related, Symantec has announced that a number of products are subject to a system level vulnerability. This is related to a number of archive software vulnerabilities, which can cause malicious code to be executed just by Symantec AV scanning it. Since the scanner runs with elevated privileges, this allows an exploit to compromise the entire machine.

DDoSes are still a popular attack method, but Sucuri has been surprised by the rise in IoT device participation in said attacks, where a recent attack included 25K compromised CCTV cameras.

In another great article by Sucuri, malicious ads appear to be hosted on parked/expired domains. Findings include a CMS template that linked third party content that was no longer maintained, and so was bought up by someone monitoring for expired domains with live links. This underscores the importance of hosting your own assets rather than hotlinking, though the W3C has just recommended the usage of Subresource Integrity (SRI) to verify that an asset that is delivered is the one expected. Usage of SRI would protect over 50% of web browser traffic.
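The SRI mechanism the paragraph refers to, as an added example that is not from the original post or the W3C specification: it computes the integrity value a site owner pins for a hotlinked asset, emits the script tag, and verifies a delivered copy against it, so that a script swapped out after its host domain expired is refused. The asset bytes and URLs are constructed.

```python
"""Subresource Integrity: pin a third-party asset and verify what is delivered."""
import base64
import hashlib

# Constructed sample: the third-party script as it was when the site author pinned it.
ORIGINAL_ASSET = b"window.widget = function () { return 'ok'; };\n"
# Constructed sample: the same URL after the hosting domain lapsed and was bought up.
TAMPERED_ASSET = ORIGINAL_ASSET + b"(new Image()).src = 'https://expired.example/track';\n"

SRI_ALGOS = ("sha256", "sha384", "sha512")  # the only algorithms SRI allows


def sri_integrity(asset: bytes, algo: str = "sha384") -> str:
    """Return the integrity= attribute value: '<algo>-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError("SRI only allows sha256, sha384 or sha512")
    digest = hashlib.new(algo, asset).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_verify(asset: bytes, integrity: str) -> bool:
    """True when the delivered bytes match the pinned value. A browser treats a
    mismatch as a network error: the script is never executed."""
    algo = integrity.partition("-")[0]
    try:
        return sri_integrity(asset, algo) == integrity
    except ValueError:  # unknown algorithm in the pinned value
        return False


def script_tag(src: str, asset: bytes) -> str:
    """Build the <script> tag; crossorigin is required for cross-origin SRI checks."""
    return (f'<script src="{src}" integrity="{sri_integrity(asset)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    pinned = sri_integrity(ORIGINAL_ASSET)
    print(script_tag("https://cdn.example/widget.js", ORIGINAL_ASSET))
    print("original accepted:", sri_verify(ORIGINAL_ASSET, pinned))
    print("tampered accepted:", sri_verify(TAMPERED_ASSET, pinned))
```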

The Talos research group has an excellent article on how malware uses DNS to exfiltrate data and how one can use Passive DNS to detect these attacks.

Malwarebytes put together an amazing infographic on the Bonnie and Clyde of advanced threats: malvertising and ransomware, two threats that multiply their overall potential together. Shockingly, they estimate that 70% of malvertising campaigns are delivering ransomware now.

As always, BleepingComputer has the best roundup of ransomware. This week includes the return of Necurs and Locky, as well as multiple new types of ransomware.

Security Roundup - 2016-06-23

Fallout of the recent password leaks has continued, with vendors such as GitHub, TeamViewer, and GoToMyPC all being victims of account/password reuse attacks. They have all stressed the importance of two-factor auth.

Summer is upon us, as are some of the larger US based security conferences. Hackaday has an interesting article highlighting the importance of talks, but also delving into network security theater, where some individuals have made wild claims and then bailed on several occasions for unknown reasons. In a number of them, just the basic concept of the proposed talk led multiple security researchers to quickly replicate the results.

The Pentagon recently released the results of their bug bounty program. From the HackerOne summary, 1,410 participants submitted 1,189 reports detailing 138 unique, valid vulnerabilities across a number of webapps. Common vulnerabilities appear to have been XSS and CSRF related, with some more severe SQL injections discovered as well. The Pentagon has touted this as a success citing cost savings, innovative approaches, and community building that would not occur under a more traditional security audit.

Last week Kaspersky Labs uncovered the xDedic underground marketplace that was selling RDP access to compromised servers. This week, they analyze a public leak of hosts that were allegedly compromised. They found a high correlation with their own observations, but interesting results that pushed US and UK servers to the top of their list of countries with the most compromised servers. Their hypothesis is that a lot of servers are quickly sold, and their initial observations were potentially just the tip of the iceberg.

This year has seen a number of archive library related CVEs, and Talos Security spins another tale of Poisoned Archives, detailing 3 more such vulnerabilities. All these vulnerabilities are due to unvalidated input, and unfortunately can lead to remote code execution. Click the link if you are interested in the nitty gritty details.

In malware news, Check Point points out some interesting evolutions. One mobile malware variant that steals money sent via SMS is now hijacking the raw SMS data at the system level. Viking Horde is a new mobile malware with the intent to create a fraud related botnet on Android phones. And a ransomware variant called Flocker is apparently infecting Smart TVs. Additionally, they have published an updated Top 10 “Most Wanted” Malware. Conficker continues to be at the top, but otherwise there is a lot of movement on the board.

I found the Smart TV news interesting, as I also read Akamai’s recent post on Account Takeover Campaigns, where they noticed what they believe to be infected routers taking part in botnets used to try to break into accounts.

Trend Micro contributes with the discovery of ‘Godless’, an Android malware program that tries to root a phone and then silently install other apps.

Malwarebytes, on the other hand, has a rundown on the disappearance of the popular Angler exploit kit, as well as an analysis of recent activity in the Necurs botnet, which apparently took a bit of a vacation recently, along with a look at the scope of its operations.

Finally, Ethereum, a bitcoin alternative, has had some problems this week. One of the large contracts called The DAO had an implementation flaw that allowed an attacker to begin draining the currency into another account. Value in the currency plummeted after the news of the attack, and there is some belief that the hacker hedged their bets by shorting the currency. The people behind Ethereum have released a blog post on ‘Thinking About Smart Contract Security’, detailing a number of poorly coded contracts. The current lesson appears to be that writing ‘smart’ contracts can be just as hard as real ones, and errors can be magnified since they are deliberately automatic, trying to avoid human arbitration. Conversely, given their public nature, they are potentially easier to exploit by a third party. A number of cryptocurrency enthusiasts have shown that programming issues appear to be somewhat common in the smart contract space at the moment.
